Don’t blame the victims of cyber-crime

Richard Meeus at Akamai argues that we need to address workplace cyber-stigma now

 

For too long, the cost of cyber-crime has only been measured in pounds and dollars. This year, we’ve seen misinformation and deepfakes become ever more ubiquitous, sometimes involving high-profile individuals and leading to significant financial scams. Everything from the Olympics to global financial institutions has been the target of cyber-attacks. It’s clear to see why Statista has estimated that the cost of cyber-crime worldwide will surpass the $10 trillion mark by 2025.

 

Coupling this with an increasingly dangerous cyber-security landscape, Akamai observed over 26 billion web attacks against applications and APIs in June 2024 alone, it becomes evident that the threat posed to businesses by cyber-criminals has never been higher.

 

As we gear up for 2025, business leaders simply cannot afford to ignore the distinctly human element of cyber-attacks and the toll that falling victim takes on employees. Cyber-criminals rely on their victims feeling shamed into silence, so as cyber-security professionals, we all have a role to play in lifting the stigma that surrounds falling victim to cyber-crime - especially in the workplace.

 

The cost of cyber-crime cannot only be viewed as financial. Its impacts must be addressed through every available avenue to business leaders, including workplace mental health.

 

The issue at stake

Cyber-crime is commonly perceived in an entirely different light than conventional crime. If you locked all your doors before going to sleep, you wouldn’t blame yourself for being burgled. Yet with cyber-crime, it’s commonly thought that the victim has done something wrong.

 

It’s often assumed that they haven’t properly protected themselves, and so it is their fault. This creates feelings of guilt and trauma that prevent victims from doing the one thing that can help aid their recovery - talking about their experience with colleagues, line managers, or a mental health practitioner.

 

This all plays into the hands of cyber-criminals. Take, for instance, a successful phishing attempt. If an employee attempts to hide or obscure the true impact of the incident, the cyber-criminal is granted additional hours, days, or maybe more, to skulk through an organisation’s network before the alarm is sounded. 

 

What’s equally concerning, is that efforts to improve staff training and awareness of cyber-security skills is stalling. The latest cyber-security breaches survey from the UK Government has revealed that, in large businesses there’s been a year-on-year decrease in levels of staff training - from 77% in 2023 to 74% this year. Although only a three percentage point difference, the trend is especially worrying to observe in an increasingly dangerous environment. 

 

Add to this that half of all UK organisations experienced a breach in the last year and it’s evident that the risk levels are only rising. As criminals get their hands on more sophisticated tools, such as phishing-as-a-service platforms and toolkits, employees face a barrage of threats more polished than ever before. 

 

Currently, employees simply don’t feel comfortable talking to their colleagues about cyber-security incidents, which can lead to more and more employees falling victim. Akamai recently published research revealing that for victims who experienced an attack in a personal setting, just over a quarter told their line managers.

 

In a world where working from home is often the norm, not the exception, the lines are increasingly blurred between the workplace and personal spaces. As such, it is more important than ever to prevent victims from facing the fallout alone.  Victims cited feeling shame and embarrassment following the attack, causing them to develop a sense of shame. 

 

Yet, over half of respondents to the Akamai study shared that they felt that hearing from other cyber-crime victims would have helped them to feel more prepared for their own incident. Individuals must feel as though they can disclose what has happened to them. For both their own, their colleagues, and other future victims’ sake.

 

Raising the bar

A blame-first cyber-security culture discourages employees from reporting the error, increasing the potential risk posed by these threats. Welcoming and encouraging self-reporting, however, can foster a transparent cyber-security culture. 

 

One industry that cyber-security professionals can learn from is aviation, where safety rules supreme and underpins every decision and culture choice - including reactions to mistakes. Even when the aftermath can be incredibly costly, it still happens. What’s most important is how an organisation responds and employees feel they can speak out.

 

The aviation industry’s ‘just culture’ ensures that every employee can report their concerns without fear of being blamed for making an honest mistake. This means that a fix can be worked on immediately and prevents a known weakness from being hidden and repeatedly exploited out of fear of being reprimanded. Cyber-security leaders can learn a lot from this approach - it’s high time to see something similar implemented with respect to cyber-attacks and fraud in the workplace. 

 

Standing up to cyber-criminals

As cyber-security leaders, it is our job to ensure that our organisations are as safe as possible from cyber-threats. But it is also our role to support employees who fall victim to attacks. Condoning a culture of blame isn’t beneficial to the individual victim or the compromised business. We must work to overhaul the status quo, build workplace cultures that are set up to support victims and empower disclosures.

 

Completely preventing cyber-crime isn’t possible. But we can build a way of working that effectively combats and mitigates the impacts of cyber-crime.

 

---

 

Richard Meeus is Director of Security Technology and Strategy EMEA at Akamai

 

Main image courtesy of iStockPhoto.com and fizkes